Document Type

Publisher

Abstract

The popularity of Android devices has resulted in a requirement for a process to extract and analyse data in a forensically sound manner. There is a wide range of devices which use the Android operating system, and hence a standard process for forensic extraction and analysis for all devices is not possible. Many devices use the Yet Another Flash File System (YAFFS), which introduces an additional layer of forensic requirements. Focussing on the internal storage of a Sony Ericsson Xperia x10i, a process to extract both logical and physical data from the internal NAND memory is possible after gaining super user access. Data was extracted in different formats by using a variety of software processes, such as SuperOneClick, dd, xRecovery, NANDdump, Yaffs2utils and Android Debug Bridge. Analysis of the extracts was then undertaken to determine the type of data available from the different extraction methods, which included Logical file extraction, Physical data with YAFFS spare information, and also without the YAFFS spare data. The analysis showed that the NANDdump has generated a bit-by-bit dump of the internal flash memory.

Comments

Originally published in the Proceedings of the 9th Australian Digital Forensics Conference, Edith Cowan University, Perth Western Australia, 5th -7th December 2011